Analyse Software In A Remote Secure Environment
Several remote services are available on the Internet that let you analyze submitted software programs or files for malicious content. It is like an online virus scanner so to speak.
Among them is VirusTotal, which uses more than forty different antivirus engines to scan submitted files. All of them have one thing in common: they scan and analyze the uploaded file using signature databases and perhaps heuristic methods, which means that they may miss malicious code.
The benefit of a security scan in a remote secure environment is that the uploaded file or program is actually executed and its behaviour analyzed while it is running (dynamic analysis), which is different from inspecting a file without running it (static analysis).
CW Sandbox is a web service with a frontend that looks similar to all the other online virus scanners. What sets it apart is the remote secure environment that it uses to execute and analyze the files that get uploaded. It runs the file inside a sandbox and logs all system activity connected to the file launch. The file analysis contains a summary as well as a detailed list of changes to the file system, the Windows Registry and network activity, plus a technical summary with additional information.
Each report is divided into different categories. The File Changes section, for example, contains categories that list newly created, opened and deleted files, and a summary that lists all file operations in chronological order. The network activity analysis details the connections that have been established, including host names and IP addresses, and whether data has been posted to one of those addresses.
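To make the structure of such a report concrete, here is an added example (not code from CW Sandbox or from the original article) that parses a constructed, sandbox-style activity log and builds the same kind of report: files grouped into created, opened and deleted plus a chronological list, registry changes, and a per-endpoint network summary with host name, IP address and a flag for whether data was posted. The line format, the sample events, and the `indicators` helper are assumptions made for this example; the real CW Sandbox report format is not known from the article.

```python
import re
from dataclasses import dataclass

# Constructed sample log in the spirit of a sandbox activity trace, one event per line:
# "<seconds-since-launch> <CATEGORY> <ACTION> <details>". This is NOT CW Sandbox's format.
SAMPLE_LOG = """\
0.10 FILE OPEN C:\\Windows\\System32\\kernel32.dll
0.25 FILE CREATE C:\\Users\\victim\\AppData\\Local\\Temp\\svch0st.exe
0.30 REG SET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Users\\victim\\AppData\\Local\\Temp\\svch0st.exe
0.42 NET DNS update.example.invalid -> 203.0.113.7
0.45 NET CONNECT 203.0.113.7:80 host=update.example.invalid
0.50 NET SEND 203.0.113.7:80 bytes=412 method=POST path=/gate.php
1.10 FILE DELETE C:\\Users\\victim\\Downloads\\sample.exe
1.20 NET CONNECT 198.51.100.5:443 host=cdn.example.invalid
"""


@dataclass
class Event:
    t: float          # seconds since the sample was launched
    category: str     # FILE, REG or NET
    action: str       # OPEN/CREATE/DELETE, SET, DNS/CONNECT/SEND
    detail: str       # remainder of the line


LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<cat>[A-Z]+)\s+(?P<act>[A-Z]+)\s+(?P<detail>.*)$")


def parse_log(text):
    """Turn the raw activity log into Event objects ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(Event(float(m["t"]), m["cat"], m["act"], m["detail"]))
    return sorted(events, key=lambda e: e.t)


def _kv(rest):
    """Parse 'key=value key=value' fragments into a dict."""
    return dict(p.split("=", 1) for p in rest.split() if "=" in p)


def summarize(events):
    """Build the report sections: file changes, registry changes, DNS and network activity."""
    files = {"created": [], "opened": [], "deleted": [], "chronological": []}
    registry, dns, network = [], {}, {}
    for e in events:
        if e.category == "FILE":
            files["chronological"].append((e.t, e.action, e.detail))
            key = {"CREATE": "created", "OPEN": "opened", "DELETE": "deleted"}.get(e.action)
            if key:
                files[key].append(e.detail)
        elif e.category == "REG":
            registry.append((e.action, e.detail))
        elif e.category == "NET":
            if e.action == "DNS":
                name, _, ip = e.detail.partition(" -> ")
                dns[name] = ip
            elif e.action in ("CONNECT", "SEND"):
                endpoint, _, rest = e.detail.partition(" ")
                kv = _kv(rest)
                entry = network.setdefault(endpoint, {"host": "", "posted": False, "bytes_sent": 0})
                if kv.get("host"):
                    entry["host"] = kv["host"]
                if e.action == "SEND":
                    entry["bytes_sent"] += int(kv.get("bytes", "0"))
                    if kv.get("method", "").upper() == "POST":
                        entry["posted"] = True
    return {"files": files, "registry": registry, "dns": dns, "network": network}


def indicators(summary):
    """Behaviours an analyst would look at first. The report itself only lists symptoms."""
    found = []
    if any(re.search(r"\\CurrentVersion\\Run\\", d, re.IGNORECASE) for _, d in summary["registry"]):
        found.append("autorun persistence via Run key")
    if any(n["posted"] for n in summary["network"].values()):
        found.append("data posted to a remote host")
    return found


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for section in ("created", "opened", "deleted"):
        print(f"{section}: {report['files'][section]}")
    for t, action, path in report["files"]["chronological"]:
        print(f"{t:6.2f}s  {action:<7} {path}")
    for endpoint, info in report["network"].items():
        print(f"{endpoint:<20} host={info['host'] or '?':<24} posted={info['posted']}")
    print("indicators:", indicators(report))
```

The `indicators` function mirrors the point made in the comments below the article: the sandbox tells you what the file did, not whether it is malicious, so any verdict has to come from rules an analyst writes on top of the report.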
The submit form on the website of the project accepts files with a maximum size of 16 Megabytes. Zip files with up to 50 files can be uploaded to the service as well if the password is set to "infected". A link to the file analysis will be sent to the email address that the user enters when submitting the files.
CW Sandbox is an excellent online service that provides an in-depth analysis of submitted files. The only drawbacks are the 16 Megabyte file size limit and that the reports are sent to an email address after an undefined wait time. A ticket system on the website showing the place in the queue and the estimated wait time would be really helpful for users who are submitting files to the service.
Update: The service is not freely available anymore on the web. It is only available as a professional service and called ThreatAnalyzer now.
Service is mostly for advanced users. I submitted a file known to deploy malware. The results came within minutes and were very detailed, including all changes made to the system. However, you have to analyze those changes yourself to determine if it is malware. I could not find anywhere that said MALWARE DETECTED. So, it details the symptoms but gives no diagnosis.
There are a few similar online services, e.g. Anubis and ThreatExpert. Or you could just run it offline sandboxed, with a registry/traffic connection monitor.